Yes, Your Encrypted WhatsApp Messages Are Still Secret

Yes, Your Encrypted WhatsApp Messages Are Still Secret

Article excerpt

If you've recently seen headlines or tweets claiming that hackers
can get around WhatsApp's encryption, don't believe the hype.

Last week, the London cybersecurity firm Positive Technologies
boasted that it had discovered a vulnerability in a fundamental part
of the mobile communications infrastructure that rendered WhatsApp
encryption useless.

Later, however, the company admitted it may have overstated the
scope of the problem. Yes, they say criminals may be able to take
over your WhatsApp or Telegram account by exploiting flaws in the
Signaling System No. 7 (SS7) network that routes calls and text
messages around the world.

"It wouldn't render the encryption ineffective, but it would
still expose the user to be impersonated, and continue to be
impersonated," said Alex Mathews, a spokesman for Positive
Technologies. "The whole reason to come out with this angle is to
change the way the they are working," referring to WhatsApp and
Telegram security settings that he claims don't put enough of an
onus on users to verify their identity.

But experts don't think that just any hacker can break into your
WhatsApp account. They'd need access to SS7 - typically controlled
by phone carriers and national operators - specialized software, the
user's cellphone number, and the subscriber identity.

What can be exploited, according to Mr. Mathews' team, are
security protocols in SS7 that could allow hackers to steal
verification codes to register fraudulent accounts. In fact, using a
Linux-enabled laptop loaded with SS7 access and specialized
software, Positive Technologies said it could impersonate WhatsApp
and Telegram users.

The Positive Technologies report followed a widely publicized
segment on SS7 vulnerabilities on "60 Minutes," adding to the hype
about flaws in the mobile backbone. On an April episode of the CBS
News program, German security researcher Karsten Nohl exploited SS7 -
which transfers mobile traffic from cellphone towers to the Internet
- to snoop on an iPhone belonging to Rep. Ted Lieu (D) of
California, reading calls, e-mails, and text messages.

"This can be done either by a telecom operator or by third-
parties that manage to co-opt or infiltrate a telecom provider,"
said Markus Ra, a Telegram spokesman. …